- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Windows Security events not getting forwarded
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Windows Security events not getting forwarded
Hello team,
I am trying to monitor windows event logs and have installed the universal forwarded with relevant data. I am getting the Application and System logs, however the Security events are not being forwarded. I am adding the inputs.conf details below please let me know what is causing this.
###### OS Logs ######
[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
# only index events with these event IDs.
whitelist = 16350-16400
index = default_tier1_idx
renderXml=false
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
# only index events with these event IDs.
whitelist = 0-10000
index = default_tier1_idx
renderXml=false
[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
# only index events with these event IDs.
whitelist = 7000-7050
index = default_tier1_idx
renderXml=false
Thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
What user are you running your UF with? Local System? Or any other user?
Do you get any errors in your UF's log?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Running this as a splunk user
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
OK. So you're using a designated user, created specificaly for the installation of UF, right? This user most probably does not have sufficient permissions to read the Security Event Log.
The easiest way to grant this user privileges to read all event logs is to add it to the "EventLog readers" local group. But it gives the rights to read ALL event logs which in your case might not be what you want. In order to selectively grant permissions to single event logs, you have to fiddle with registry entries and SDDL (ugly as hell, I admit) - https://docs.microsoft.com/en-us/troubleshoot/windows-server/group-policy/set-event-log-security-loc...
Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!
Catch Up Now >>
